ITAR Compliance vs ISO Certification

Is ITAR compliance an on-going continual functioning system of processes or binary on or off, yes or no?


A prospective client asks for help to become “ITAR Compliant”. Our first question is what is the contractual requirement? Did the PO simply state “ITAR Compliant” or do you need to apply for a license, where there any additional details provided?

Answer: None, PO simply states that we need to be “ITAR Compliant”. In reality this is often the case, the customer fails to precisely define their requirements. 

Lets consider the following definitions:

Compliance is the ability to meet contractual obligations and a declaration is a formal statement, proclamation or announcement.

Unlike ISO, there are no certificates showing compliance to the ITAR. ANAB and ISO registrars cannot certify an organization as “ITAR Compliant”.  

So questions remain, how does an organization or more precisely, a manufacturer of defense articles proceed? Do they declare ITAR compliance upon being DDTC registered?

Here is an interesting question for you ethics and compliance gurus, is an organization ITAR compliant up until the point of a violation as per Part 127, or are like ISO registered organizations who have received Major or Minor findings during an audit, do they remain compliant even with nonconformities? 

If you need help with these questions drop us an email, our business is “Compliance Delivered”.